Fraudsters’ new weapon to target Android smartphones: APK files

A Venkatesh, DSP (Cyber Crime), Chandigarh Police, said: “.apk stands for Android Package Kit — it’s the installation file for Android apps, similar to .exe for Windows. These files are usually downloaded only from trusted sources (like the Google Play Store). However, cybercriminals trick victims into downloading malicious APKs directly through links shared on WhatsApp, SMS, or social media.”

As per the Cyber Police, the cyber attackers send messages such as “install this app to get your loan approved”, “update your KYC to avoid account suspension”, “get your parcel delivery confirmation”, and “download this app to earn cashback/rewards”.

“These messages create urgency and trust, often using logos of banks, courier companies, or government agencies,” said the police.

The victim clicks on the shared link and downloads the malicious APK (outside the Play Store), and when installed, the app asks for dangerous permissions, such as access to SMS (to read OTPs), screen recording or accessibility service (to monitor inputs), contacts, camera, and storage, and most victims grant permissions without reading.

Once installed, the fake app can steal banking credentials entered on the phone, read OTPs and intercept SMS messages, mirror the screen using accessibility features, install RATs (Remote Access Trojans) to control the device remotely, forward all information to the attacker’s command-and-control (C2) server, said the cyber police.

As per the Cyber Police DSP, by using the stolen information, the attackers can transfer money using UPI or banking apps, and can change account password, or can also impersonate the victim for further scams, and sometimes even lock the device for ransom.

In a recent complaint received by the Cyber Crime Police of Chandigarh, a Chandigarh resident received an SMS stating that “Your KYC is pending”, and download this RBI-verified app to avoid account freeze. As he downloaded the app and entered his bank details, and granted permissions, within minutes, Rs 1.5 lakh was transferred from his account to multiple mule accounts.

In another similar complaint related to APK file installation, the fraudster initially sent an APK file link to the complainant, who was using an iPhone. Since iPhones do not support APK installations, the Apple device automatically rejected the download.

“However to bypass this restriction, the fraudster deceitfully convinced the complainant to forward the same link to her husband’s Android phone, stating that the loan verification process could be completed from there. Trusting the message, her husband downloaded and installed the malicious APK file on his Android device. Once installed, the fake application requested multiple sensitive permissions, including access to SMS, storage, and accessibility services. Shortly after granting these permissions, the couple observed unauthorised financial transactions from their bank account amounting to several thousand rupees. The subsequent investigation revealed that the attackers had used the stolen banking credentials and OTPs, which were secretly captured by the malicious application, to carry out these fraudulent transactions,” said the police. Both the complaints are currently under probe of the Chandigarh Police.

How to protect oneself from APK file fraud

* Never install .apk files from links or unknown sources

* Enable Play Protect in Android settings

* Disable “install from unknown sources” option

* Check app permissions before granting them

* Verify with the official bank or organisation before acting on such messages

* Report such cases immediately at 1930 or cybercrime.gov.in